Closed Bug 15769 Opened 20 years ago Closed 20 years ago

[BLOCKER][CRASHER][TESTCASE] Having <select></select> without options inside crash application.

Categories

(Core :: Layout: Form Controls, defect, P1, blocker)

x86
All
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: desale, Assigned: pollmann)

References

Details

Attachments

(1 file)

Having <select></select> without options inside, crash application real hard.

BUILDS: 10-06-19 [M10][Apprunner/Viewer]

STEPS TO REPRODUCE:
1] Please copy code I'm providing. Save it as HTML file.
2] Open this HTML file with apprunner as well as viewer.

EXPECTED RESULTS:
Application should simply load the page.

ACTUAL RESULTS:
Application crashes.

DESCRIPTION:
Application is crashing because of having empty select list in HTML code.
We can have empty select list because we can expect cgi to fill this select
depending on the data coming from cgi.
Having
<select>
</select>
in HTML code is crashing application.
On other hand if we put option inside the select list then it does not crash.
If we use
<select>
<option>opt1</option>
</select>
then it does not crash.
So having empty select is crashing the application.

CODE:

<html>
<head>
<title>Tester.html</title>
</head>
<body>
<form name="workform" >
<select>
</select>
</form>
</body>
</html>

END OF CODE:

STACK REPORT
Incident ID: 14133930
Trigger Type:  Program Crash
Trigger Reason:  Access violation


Call Stack:    (Signature = nsListControlFrame::DisplaySelected 4708ac3c)

nsListControlFrame::DisplaySelected
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line
545]

nsListControlFrame::SetContentSelected
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line
1220]

nsListControlFrame::Reset
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line
1339]

nsListControlFrame::Init
[d:\builds\seamonkey\mozilla\layout\html\forms\src\nsListControlFrame.cpp, line
981]

nsCSSFrameConstructor::InitializeScrollFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4038]

nsCSSFrameConstructor::ConstructSelectFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2950]

nsCSSFrameConstructor::ConstructFrameByTag
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3060]

nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4869]

nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7987]

nsCSSFrameConstructor::ConstructFrameByTag
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3153]

nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4869]

nsCSSFrameConstructor::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5417]

StyleSetImpl::ContentAppended
[d:\builds\seamonkey\mozilla\layout\base\src\nsStyleSet.cpp, line 864]

PresShell::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 1724]

nsDocument::ContentAppended
[d:\builds\seamonkey\mozilla\layout\base\src\nsDocument.cpp, line 1575]

nsHTMLDocument::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLDocument.cpp, line
1044]

HTMLContentSink::NotifyBody
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp,
line 276]

HTMLContentSink::WillInterrupt
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp,
line 1770]

CNavDTD::WillInterruptParse
[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3116]

nsParser::ResumeParse
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 958]

nsParser::OnDataAvailable
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1340]

nsDocumentBindInfo::OnDataAvailable
[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1372]

nsChannelListener::OnDataAvailable
[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1613]

nsHTTPResponseListener::OnDataAvailable
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cp
p, line 195]

nsOnDataAvailableEvent::HandleEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line
359]

nsStreamListenerEvent::HandlePLEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line
153]

PL_HandleEvent
[plevent.c, line 542]

PL_ProcessPendingEvents
[plevent.c, line 501]

_md_EventReceiverProc
[plevent.c, line 974]

KERNEL32.DLL + 0x35d9 (0xbff735d9)

KERNEL32.DLL + 0x2222f (0xbff9222f)

0x00638bec
Priority: P3 → P1
QA Contact: cpratt → desale
Summary: [CRASHER][TESTCASE] Having <select></select> without options inside crash application. → [BLOCKER][CRASHER][TESTCASE] Having <select></select> without options inside crash application.
Changing priority to P1 and QA contact to myself. Pratt is this okay if I keep
QA contact ?
Assignee: karnaze → rods
Severity: normal → blocker
Reassigning to Rod.
Target Milestone: M11
Setting to M11.
I fixed this a while ago. This works for me, although I was mucking about in the
select code and just did a check in. This test is in test8 in the viewer and
apprunner. test8 has been working and quite sometme. Please repull or wait until
tomorrow and test it then after verifications.

Tomorrow I will mark as works for me.
I'm not seeing a "crash", but I see a couple of asserts because of this check:
  if (mSelectionCacheLength != length) {
    NS_ASSERTION(0,"nsListControlFrame: Cache sync'd with content!\n");
when adding items to a list in JavaScript. I notice that if there's no items
added, there is a "X" that appears as a single list item -- so the above
check fails since mSelectionCacheLength = 0 but length = 1 (for the "X")
Stack:
nsListControlFrame::UpdateSelection(nsListControlFrame * const 0x02e52524, int
0, nsIContent * 0x02e326d0) line 1724 + 35 bytes
nsComboboxControlFrame::UpdateSelection(nsComboboxControlFrame * const
0x02e52884, int 0, int 1, int -1) line 986
Assignee: rods → pollmann
The asserts are in Eric P. new code and this then needs to be assigned to him.
The "X" shouldn't be appearing. If it is it is because the visibility (shown
below) is incorrectly set to collapse instead of hidden. It should be hidden
now.

select:-moz-dummy-option {
  visibility: hidden;
  content: "X";
  /*display: block;*/
}

Assigning to Eric to check for the problem with the asserts.
*** Bug 16062 has been marked as a duplicate of this bug. ***
Status: NEW → ASSIGNED
This crash has been fixed in M11.  I'll look into those asserts.  Charlie, do
you have a testcase that will reproduce them?
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I'm now resizing the cache eagerly when an option is added or removed.  This got
rid of the assert I was able to reproduce.

To verify, browse to the attachment I'm about to make.  Click on the
RemoveOption button.  You should not see any warnings printed out to the
terminal.
Attached file Test Case
Status: RESOLVED → VERIFIED
Marking verified.
*** Bug 17355 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.